storj/cmd/uplinkng/access_permissions.go

// Copyright (C) 2021 Storj Labs, Inc.
// See LICENSE for copying information.

package main

import (
	"strconv"
	"time"

	"github.com/zeebo/clingy"
	"github.com/zeebo/errs"

	"storj.io/storj/cmd/uplinkng/ulloc"
	"storj.io/uplink"
)

// accessPermissions holds flags and provides a Setup method for commands that
// have to modify permissions on access grants.
type accessPermissions struct {
	prefixes []uplink.SharePrefix // prefixes is the set of path prefixes that the grant will be limited to

	readonly  bool // implies disallowWrites and disallowDeletes
	writeonly bool // implies disallowReads and disallowLists

	disallowDeletes bool
	disallowLists   bool
	disallowReads   bool
	disallowWrites  bool

	notBefore time.Time
	notAfter  time.Time
}

func (ap *accessPermissions) Setup(params clingy.Parameters) {
	ap.prefixes = params.Flag("prefix", "Key prefix access will be restricted to", []ulloc.Location{},
		clingy.Transform(ulloc.Parse),
		clingy.Transform(transformSharePrefix),
		clingy.Repeated,
	).([]uplink.SharePrefix)

	ap.readonly = params.Flag("readonly", "Implies --disallow-writes and --disallow-deletes", true,
		clingy.Transform(strconv.ParseBool), clingy.Boolean).(bool)
	ap.writeonly = params.Flag("writeonly", "Implies --disallow-reads and --disallow-lists", false,
		clingy.Transform(strconv.ParseBool), clingy.Boolean).(bool)

	ap.disallowDeletes = params.Flag("disallow-deletes", "Disallow deletes with the access", false,
		clingy.Transform(strconv.ParseBool), clingy.Boolean).(bool)
	ap.disallowLists = params.Flag("disallow-lists", "Disallow lists with the access", false,
		clingy.Transform(strconv.ParseBool), clingy.Boolean).(bool)
	ap.disallowReads = params.Flag("disallow-reads", "Disallow reasd with the access", false,
		clingy.Transform(strconv.ParseBool), clingy.Boolean).(bool)
	ap.disallowWrites = params.Flag("disallow-writes", "Disallow writes with the access", false,
		clingy.Transform(strconv.ParseBool), clingy.Boolean).(bool)

	now := time.Now()
	transformHumanDate := clingy.Transform(func(date string) (time.Time, error) {
		switch {
		case date == "none":
			return time.Time{}, nil
		case date == "":
			return time.Time{}, nil
		case date == "now":
			return now, nil
		case date[0] == '+' || date[0] == '-':
			d, err := time.ParseDuration(date)
			return now.Add(d), errs.Wrap(err)
		default:
			t, err := time.Parse(time.RFC3339, date)
			return t, errs.Wrap(err)
		}
	})

	ap.notBefore = params.Flag("not-before",
		"Disallow access before this time (e.g. '+2h', 'now', '2020-01-02T15:04:05Z0700')",
		time.Time{}, transformHumanDate, clingy.Type("relative_date")).(time.Time)
	ap.notAfter = params.Flag("not-after",
		"Disallow access after this time (e.g. '+2h', 'now', '2020-01-02T15:04:05Z0700')",
		time.Time{}, transformHumanDate, clingy.Type("relative_date")).(time.Time)
}

func (ap *accessPermissions) SetupWithPrefixArg(params clingy.Parameters) {
	ap.Setup(params)

	argPrefixes := params.Arg("prefix", "Key prefix access will be restricted to",
		clingy.Transform(ulloc.Parse),
		clingy.Transform(transformSharePrefix),
		clingy.Repeated,
	).([]uplink.SharePrefix)

	if argPrefixes != nil {
		ap.prefixes = argPrefixes
	}
}

func transformSharePrefix(loc ulloc.Location) (uplink.SharePrefix, error) {
	bucket, key, ok := loc.RemoteParts()
	if !ok {
		return uplink.SharePrefix{}, errs.New("invalid prefix: must be remote: %q", loc)
	}
	return uplink.SharePrefix{
		Bucket: bucket,
		Prefix: key,
	}, nil
}

func (ap *accessPermissions) Apply(access *uplink.Access) (*uplink.Access, error) {
	permission := uplink.Permission{
		AllowDelete:   ap.AllowDelete(),
		AllowList:     ap.AllowList(),
		AllowDownload: ap.AllowDownload(),
		AllowUpload:   ap.AllowUpload(),
		NotBefore:     ap.notBefore,
		NotAfter:      ap.notAfter,
	}

	// if we aren't actually restricting anything, then we don't need to Share.
	if permission == (uplink.Permission{
		AllowDelete:   true,
		AllowList:     true,
		AllowDownload: true,
		AllowUpload:   true,
	}) && len(ap.prefixes) == 0 {
		return access, nil
	}

	access, err := access.Share(permission, ap.prefixes...)
	if err != nil {
		return nil, errs.Wrap(err)
	}

	return access, nil
}

func (ap *accessPermissions) AllowDelete() bool {
	return !ap.disallowDeletes && !ap.readonly
}

func (ap *accessPermissions) AllowList() bool {
	return !ap.disallowLists && !ap.writeonly
}

func (ap *accessPermissions) AllowDownload() bool {
	return !ap.disallowReads && !ap.writeonly
}

func (ap *accessPermissions) AllowUpload() bool {
	return !ap.disallowWrites && !ap.readonly
}
cmd/uplinkng: initial commit with skeleton Change-Id: I764618cc60c46882955e9b08b72b3c162aa4929f 2021-03-31 16:56:34 +01:00			`// Copyright (C) 2021 Storj Labs, Inc.`
			`// See LICENSE for copying information.`

			`package main`

			`import (`
			`"strconv"`
			`"time"`

			`"github.com/zeebo/clingy"`
cmd/uplinkng: access creation/restriction and review fixes Change-Id: I649ae3615363685c28c39d1efb6a65fcad507f46 2021-06-22 23:41:22 +01:00			`"github.com/zeebo/errs"`

			`"storj.io/storj/cmd/uplinkng/ulloc"`
			`"storj.io/uplink"`
cmd/uplinkng: initial commit with skeleton Change-Id: I764618cc60c46882955e9b08b72b3c162aa4929f 2021-03-31 16:56:34 +01:00			`)`

			`// accessPermissions holds flags and provides a Setup method for commands that`
			`// have to modify permissions on access grants.`
			`type accessPermissions struct {`
cmd/uplinkng: access creation/restriction and review fixes Change-Id: I649ae3615363685c28c39d1efb6a65fcad507f46 2021-06-22 23:41:22 +01:00			`prefixes []uplink.SharePrefix // prefixes is the set of path prefixes that the grant will be limited to`
cmd/uplinkng: initial commit with skeleton Change-Id: I764618cc60c46882955e9b08b72b3c162aa4929f 2021-03-31 16:56:34 +01:00
			`readonly bool // implies disallowWrites and disallowDeletes`
			`writeonly bool // implies disallowReads and disallowLists`

			`disallowDeletes bool`
			`disallowLists bool`
			`disallowReads bool`
			`disallowWrites bool`

			`notBefore time.Time`
			`notAfter time.Time`
			`}`

cmd/uplinkng: update for breaking clingy changes clingy changed some and this is just fixes for that Change-Id: I729aed6329fe0988fcb9b4407f16966a753b3204 2021-05-25 00:11:50 +01:00			`func (ap *accessPermissions) Setup(params clingy.Parameters) {`
cmd/uplinkng: access creation/restriction and review fixes Change-Id: I649ae3615363685c28c39d1efb6a65fcad507f46 2021-06-22 23:41:22 +01:00			`ap.prefixes = params.Flag("prefix", "Key prefix access will be restricted to", []ulloc.Location{},`
			`clingy.Transform(ulloc.Parse),`
			`clingy.Transform(transformSharePrefix),`
			`clingy.Repeated,`
			`).([]uplink.SharePrefix)`

cmd/uplinkng: share command added In uplink we have command uplink share and we need to port it to uplinkng to have command with same functionality. Command could be executed with parameter or without. without any flags we share as readonly. Change-Id: I973b11d00da237358834acf5a863ebab37e684cc 2021-11-03 13:51:47 +00:00			`ap.readonly = params.Flag("readonly", "Implies --disallow-writes and --disallow-deletes", true,`
cmd/uplinkng: update clingy for better boolean support this allows commands like uplinkng cp -r sj://foo sj://bar to work correctly, rather than complain that sj://foo is not a boolean. Change-Id: I003e47aabb85566bc2b454851cf55043b17ee7ea 2021-12-09 19:21:52 +00:00			`clingy.Transform(strconv.ParseBool), clingy.Boolean).(bool)`
cmd/uplinkng: update for breaking clingy changes clingy changed some and this is just fixes for that Change-Id: I729aed6329fe0988fcb9b4407f16966a753b3204 2021-05-25 00:11:50 +01:00			`ap.writeonly = params.Flag("writeonly", "Implies --disallow-reads and --disallow-lists", false,`
cmd/uplinkng: update clingy for better boolean support this allows commands like uplinkng cp -r sj://foo sj://bar to work correctly, rather than complain that sj://foo is not a boolean. Change-Id: I003e47aabb85566bc2b454851cf55043b17ee7ea 2021-12-09 19:21:52 +00:00			`clingy.Transform(strconv.ParseBool), clingy.Boolean).(bool)`
cmd/uplinkng: initial commit with skeleton Change-Id: I764618cc60c46882955e9b08b72b3c162aa4929f 2021-03-31 16:56:34 +01:00
cmd/uplinkng: update for breaking clingy changes clingy changed some and this is just fixes for that Change-Id: I729aed6329fe0988fcb9b4407f16966a753b3204 2021-05-25 00:11:50 +01:00			`ap.disallowDeletes = params.Flag("disallow-deletes", "Disallow deletes with the access", false,`
cmd/uplinkng: update clingy for better boolean support this allows commands like uplinkng cp -r sj://foo sj://bar to work correctly, rather than complain that sj://foo is not a boolean. Change-Id: I003e47aabb85566bc2b454851cf55043b17ee7ea 2021-12-09 19:21:52 +00:00			`clingy.Transform(strconv.ParseBool), clingy.Boolean).(bool)`
cmd/uplinkng: update for breaking clingy changes clingy changed some and this is just fixes for that Change-Id: I729aed6329fe0988fcb9b4407f16966a753b3204 2021-05-25 00:11:50 +01:00			`ap.disallowLists = params.Flag("disallow-lists", "Disallow lists with the access", false,`
cmd/uplinkng: update clingy for better boolean support this allows commands like uplinkng cp -r sj://foo sj://bar to work correctly, rather than complain that sj://foo is not a boolean. Change-Id: I003e47aabb85566bc2b454851cf55043b17ee7ea 2021-12-09 19:21:52 +00:00			`clingy.Transform(strconv.ParseBool), clingy.Boolean).(bool)`
cmd/uplinkng: update for breaking clingy changes clingy changed some and this is just fixes for that Change-Id: I729aed6329fe0988fcb9b4407f16966a753b3204 2021-05-25 00:11:50 +01:00			`ap.disallowReads = params.Flag("disallow-reads", "Disallow reasd with the access", false,`
cmd/uplinkng: update clingy for better boolean support this allows commands like uplinkng cp -r sj://foo sj://bar to work correctly, rather than complain that sj://foo is not a boolean. Change-Id: I003e47aabb85566bc2b454851cf55043b17ee7ea 2021-12-09 19:21:52 +00:00			`clingy.Transform(strconv.ParseBool), clingy.Boolean).(bool)`
cmd/uplinkng: update for breaking clingy changes clingy changed some and this is just fixes for that Change-Id: I729aed6329fe0988fcb9b4407f16966a753b3204 2021-05-25 00:11:50 +01:00			`ap.disallowWrites = params.Flag("disallow-writes", "Disallow writes with the access", false,`
cmd/uplinkng: update clingy for better boolean support this allows commands like uplinkng cp -r sj://foo sj://bar to work correctly, rather than complain that sj://foo is not a boolean. Change-Id: I003e47aabb85566bc2b454851cf55043b17ee7ea 2021-12-09 19:21:52 +00:00			`clingy.Transform(strconv.ParseBool), clingy.Boolean).(bool)`
cmd/uplinkng: initial commit with skeleton Change-Id: I764618cc60c46882955e9b08b72b3c162aa4929f 2021-03-31 16:56:34 +01:00
cmd/uplinkng: access creation/restriction and review fixes Change-Id: I649ae3615363685c28c39d1efb6a65fcad507f46 2021-06-22 23:41:22 +01:00			`now := time.Now()`
			`transformHumanDate := clingy.Transform(func(date string) (time.Time, error) {`
			`switch {`
cmd/uplinkng: share command added In uplink we have command uplink share and we need to port it to uplinkng to have command with same functionality. Command could be executed with parameter or without. without any flags we share as readonly. Change-Id: I973b11d00da237358834acf5a863ebab37e684cc 2021-11-03 13:51:47 +00:00			`case date == "none":`
			`return time.Time{}, nil`
cmd/uplinkng: access creation/restriction and review fixes Change-Id: I649ae3615363685c28c39d1efb6a65fcad507f46 2021-06-22 23:41:22 +01:00			`case date == "":`
			`return time.Time{}, nil`
			`case date == "now":`
			`return now, nil`
			`case date[0] == '+' \|\| date[0] == '-':`
			`d, err := time.ParseDuration(date)`
			`return now.Add(d), errs.Wrap(err)`
			`default:`
			`t, err := time.Parse(time.RFC3339, date)`
			`return t, errs.Wrap(err)`
			`}`
			`})`

cmd/uplinkng: update for breaking clingy changes clingy changed some and this is just fixes for that Change-Id: I729aed6329fe0988fcb9b4407f16966a753b3204 2021-05-25 00:11:50 +01:00			`ap.notBefore = params.Flag("not-before",`
cmd/uplinkng: access creation/restriction and review fixes Change-Id: I649ae3615363685c28c39d1efb6a65fcad507f46 2021-06-22 23:41:22 +01:00			`"Disallow access before this time (e.g. '+2h', 'now', '2020-01-02T15:04:05Z0700')",`
			`time.Time{}, transformHumanDate, clingy.Type("relative_date")).(time.Time)`
cmd/uplinkng: update for breaking clingy changes clingy changed some and this is just fixes for that Change-Id: I729aed6329fe0988fcb9b4407f16966a753b3204 2021-05-25 00:11:50 +01:00			`ap.notAfter = params.Flag("not-after",`
cmd/uplinkng: access creation/restriction and review fixes Change-Id: I649ae3615363685c28c39d1efb6a65fcad507f46 2021-06-22 23:41:22 +01:00			`"Disallow access after this time (e.g. '+2h', 'now', '2020-01-02T15:04:05Z0700')",`
			`time.Time{}, transformHumanDate, clingy.Type("relative_date")).(time.Time)`
cmd/uplinkng: initial commit with skeleton Change-Id: I764618cc60c46882955e9b08b72b3c162aa4929f 2021-03-31 16:56:34 +01:00			`}`

cmd/uplinkng: share command added In uplink we have command uplink share and we need to port it to uplinkng to have command with same functionality. Command could be executed with parameter or without. without any flags we share as readonly. Change-Id: I973b11d00da237358834acf5a863ebab37e684cc 2021-11-03 13:51:47 +00:00			`func (ap *accessPermissions) SetupWithPrefixArg(params clingy.Parameters) {`
			`ap.Setup(params)`

			`argPrefixes := params.Arg("prefix", "Key prefix access will be restricted to",`
			`clingy.Transform(ulloc.Parse),`
			`clingy.Transform(transformSharePrefix),`
			`clingy.Repeated,`
			`).([]uplink.SharePrefix)`

			`if argPrefixes != nil {`
			`ap.prefixes = argPrefixes`
			`}`
			`}`

			`func transformSharePrefix(loc ulloc.Location) (uplink.SharePrefix, error) {`
			`bucket, key, ok := loc.RemoteParts()`
			`if !ok {`
			`return uplink.SharePrefix{}, errs.New("invalid prefix: must be remote: %q", loc)`
			`}`
			`return uplink.SharePrefix{`
			`Bucket: bucket,`
			`Prefix: key,`
			`}, nil`
			`}`

cmd/uplinkng: access creation/restriction and review fixes Change-Id: I649ae3615363685c28c39d1efb6a65fcad507f46 2021-06-22 23:41:22 +01:00			`func (ap accessPermissions) Apply(access uplink.Access) (*uplink.Access, error) {`
			`permission := uplink.Permission{`
cmd/uplinkng: share command added In uplink we have command uplink share and we need to port it to uplinkng to have command with same functionality. Command could be executed with parameter or without. without any flags we share as readonly. Change-Id: I973b11d00da237358834acf5a863ebab37e684cc 2021-11-03 13:51:47 +00:00			`AllowDelete: ap.AllowDelete(),`
			`AllowList: ap.AllowList(),`
			`AllowDownload: ap.AllowDownload(),`
			`AllowUpload: ap.AllowUpload(),`
cmd/uplinkng: access creation/restriction and review fixes Change-Id: I649ae3615363685c28c39d1efb6a65fcad507f46 2021-06-22 23:41:22 +01:00			`NotBefore: ap.notBefore,`
			`NotAfter: ap.notAfter,`
cmd/uplinkng: initial commit with skeleton Change-Id: I764618cc60c46882955e9b08b72b3c162aa4929f 2021-03-31 16:56:34 +01:00			`}`
cmd/uplinkng: access creation/restriction and review fixes Change-Id: I649ae3615363685c28c39d1efb6a65fcad507f46 2021-06-22 23:41:22 +01:00
cmd/uplinkng: initial setup Change-Id: If4df3ec8b3b554f5228d43e97503eb8a87525b23 2021-08-13 20:31:04 +01:00			`// if we aren't actually restricting anything, then we don't need to Share.`
			`if permission == (uplink.Permission{`
			`AllowDelete: true,`
			`AllowList: true,`
			`AllowDownload: true,`
			`AllowUpload: true,`
			`}) && len(ap.prefixes) == 0 {`
			`return access, nil`
			`}`

cmd/uplinkng: access creation/restriction and review fixes Change-Id: I649ae3615363685c28c39d1efb6a65fcad507f46 2021-06-22 23:41:22 +01:00			`access, err := access.Share(permission, ap.prefixes...)`
			`if err != nil {`
			`return nil, errs.Wrap(err)`
			`}`

			`return access, nil`
cmd/uplinkng: initial commit with skeleton Change-Id: I764618cc60c46882955e9b08b72b3c162aa4929f 2021-03-31 16:56:34 +01:00			`}`
cmd/uplinkng: share command added In uplink we have command uplink share and we need to port it to uplinkng to have command with same functionality. Command could be executed with parameter or without. without any flags we share as readonly. Change-Id: I973b11d00da237358834acf5a863ebab37e684cc 2021-11-03 13:51:47 +00:00
			`func (ap *accessPermissions) AllowDelete() bool {`
			`return !ap.disallowDeletes && !ap.readonly`
			`}`

			`func (ap *accessPermissions) AllowList() bool {`
			`return !ap.disallowLists && !ap.writeonly`
			`}`

			`func (ap *accessPermissions) AllowDownload() bool {`
			`return !ap.disallowReads && !ap.writeonly`
			`}`

			`func (ap *accessPermissions) AllowUpload() bool {`
			`return !ap.disallowWrites && !ap.readonly`
			`}`